Microsoft Windows forensics

Initial questions to ask

If the computer stores confidential data, we have to be particularly thorough in the investigation and follow procedures very carefully.

There may be cases where it is appropriate to run a tool like Cornell’s Spider or UTexas-Austin’s SENF (Sensitive Number Finder) to find all instances of confidential data.

Should I image the disk drive(s)?

Imaging is important to preserve original evidence, especially if it is a criminal investigation or it might end up in litigation, since forensics activities typically alter potential evidence like file access times. Ideally, you should immediately make a duplicate image of the original drive and do forensics on the duplicate. This may require installing the drive with the duplicate image in the suspect computer and booting from the duplicated drive, so make sure that the drive used to make the duplicate has the same interface as the original (IDE, SATA, etc.). Label the original and store it in a locked, secure location.

If the computer stores confidential data, image the hard drive(s) and preserve the original, since forensics analysis may be required to determine whether the confidential data was compromised. If the incident is caught quickly enough, network flow data can also help determine whether confidential data was accessed. NTS only keeps about 2 weeks of flow data.

Client Services in iTAC has equipment for copying hard drives, both software imaging tools and hardware drive duplicators.

Imaging may not be necessary for all incidents.

Imaging is a challenge with a RAID configuration or disk storage on a SAN.

Should I turn the computer off, or unplug the network cable, or disable the wireless interface?

Turning the computer off may destroy memory-resident evidence, so don’t turn it off until you know it’s safe to do so.

Unplug the network cable or disable the wireless network interface, then contact the University IT Security Officer to discuss next steps.

How quickly can I repair the computer and get it back into production?

This may be particularly important if it is a production server providing critical services.

If the compromised system must be preserved for forensics analysis and/or evidence preservation, you may have to restore the service and data onto a different computer from backup media that was created before the compromise. You will also have to address the vulnerability that was exploited before putting the service back online. For example, this may involve applying a security patch.

Discuss this with the University IT Security Officer.

What is required to recover from the compromise?

Compromises that allow remote control of a computer such that arbitrary commands can be executed will require reformatting the hard drive and reinstalling the operating system and all applications from scratch or from backup media created before the compromise. This is the only way to guarantee that all malware has been removed.

The vulnerability that resulted in the compromise must also be addressed before the computer can be put back into production on the network. All security patches for the OS and applications must be applied.

The University IT Security Officer decides when a particular type of compromise requires a reformat/reinstall.

General principles

Contact the University IT Security Officer immediately if you suspect a security incident.

Inform your supervisor and department head.

Involve law enforcement if you suspect criminal activity; contact the K-State Police first.

The Office of the University Attorney may need to be notified as well; the University IT Security Officer can assist you with that.

Document everything you do during the investigation, especially if it is a criminal investigation, internal personnel investigation, or student code of conduct violation.

Label evidence and store it in a secure location.

Beware of forensics activities that might alter evidence.

Do not start repairing the computer until cleared to do so by the University IT Security Officer.

Preserving Evidence

The problem with electronic evidence is that nearly all forensics techniques are destructive in some way. For example, when you view a file to see if it contains relevant evidence, the file access time is updated.

It is best to “freeze” the hard drive(s) in their current state, make an image copy, and do forensics on the copy. You can re-image the copy from the original to restore a pristine state for further analysis.

This may not be necessary if it is not a legal or internal personnel investigation.

If you need to try to recover deleted files or file fragments, do a bit-by-bit copy of the entire hard drive, which copies every bit on the disk, not just the allocated blocks. This is sometimes called a “duplicate copy.” Otherwise, copying just the actual data may be adequate (sometimes called a “smart sector copy”).

“Chain of custody” (also called “chain of evidence”) tracks the history of the evidence from the moment it is seized to the time it is submitted to the court. In criminal cases, you must document the chain of custody to prove that what you are showing in court is exactly what you collected.

Normally, it is adequate to simply document the whereabouts of the evidence and who handled it at all times, keeping the evidence locked up when not in use, and being prepared to testify to that effect in court.

In sensitive criminal cases, it is best to digitally sign evidence files.

You may also want the police to accompany you when performing forensics, or contract with a third party to perform the forensics analysis.

Don’t leave the evidence unattended where someone else could get access.

It is helpful to have the police store the evidence.

Photograph the computer in its original location, and in the shop when you’re ready to start your forensics analysis (front, back, sides). This is helpful for the chain of custody record.

Best practice is to have an “evidence bag” to transport and store things like tapes, USB thumb drives, CDs, etc. Store electronic devices in anti-static bags.

Evidence may reside in memory rather than on disk, and it is destroyed when you turn off the computer. There are techniques to dump an image of memory before turning off the computer.

If it is necessary to login to a computer and run an application as part of the investigation, replace the original hard drive with a copy and boot from the copy.

Procedures

These are in no particular order. The order you would follow depends on the nature of the investigation.

Use Google to search for a process name to determine its function or if it is malicious.

Check Scheduled Tasks to see if any have been added.

XP: Start->Programs->Accessories->System Tools->Scheduled Tasks.

Vista: Start->Programs->Accessories->System Tools->Task Scheduler.

Also check the scheduled tasks log file (pull down the Advanced menu in the “Scheduled Tasks” window, and select “View Log”).

The log file is a text file: C:\WINDOWS\SchedLgU.txt

Also check with the Windows commands “at” and “schtasks” (“at” tasks are handled slightly differently and don’t always show up in the list of tasks in the “Scheduled Tasks” window or in the output of the “schtasks” command).

Check the registry for programs that automatically start at boot time.

Run regedit.exe in a Windows command window, and examine the following keys:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run – these programs start automatically whenever any user logs in; the key applies to all users of this computer.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce – the programs here start only once when any user logs in, and the entries are removed after the Windows boot process has finished.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx – the programs here start only once when any user logs in, and the entries are removed after the Windows boot process has finished. Unlike RunOnce, RunOnceEx does not create a separate process for each entry, and it supports a dependency list of DLLs that remain loaded while all or some of the sections are being processed.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices – these programs start automatically while the system is loading, before any user logs in. It is used for service applications such as antivirus software and drivers. On Windows NT/2000/XP an administrator can cancel it in favor of the other service startup sections.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce – these programs start only once, as service applications while the system is loading, and the entries are deleted after the Windows boot process has finished.

Check browser cookies and cache.

Check IE and Firefox, or any other browsers you find installed on the computer.

There are commercial and freeware tools that simplify examining browser data.

Internet Explorer:

Cookies are in c:\Documents and Settings\username\Cookies; each cookie is a separate file with the file name reflecting the website for which the cookie was set. View the folder in “Details” format to see file name and modify/create/access times.

History is in c:\Documents and Settings\username\Local Settings\History

Cache is in c:\Documents and Settings\username\Local Settings\Temporary Internet Files\

In Windows Vista, the Cache is in C:\Users\username\AppData\Local\Microsoft\Windows\Temporary Internet Files\

With IE7, you can start the browser, pull down the Tools menu, select “Internet Options”, then the “General” tab. In the “Browsing history” section, select Settings to see the current location for the cache. To view the cache content, select “View Files”. This will list the cookies and the cache content in a normal Windows Explorer window where you can sort them by name, Internet address, date last accessed, do a search, etc.

Firefox

Files of interest are kept in the folder C:\Documents and Settings\username\Application Data\Mozilla\Firefox\Profiles\4u815odq.default (the last folder name in this path is unique to each installation). In Vista, they’re in C:\Users\username\AppData\Local\Mozilla...

Cookies are in a single text file named “cookies”.

History is in the same folder in a file named “history”; it can be viewed with WindowsVI, but it’s in “Mork” format (http://en.wikipedia.org/wiki/Mork_(file_format)), so it’s not very intelligible when viewed with a text editor.

By default, Firefox only keeps history for 9 days.

Bookmarks are in an HTML file named “bookmarks.html” in the same location. Load it into a browser to view.

Cache is in a folder of that name; seems to only keep a few days of pages.

You can view cache from within Firefox by entering “about:cache” as the URL.

Stored passwords are in the same location, in the file signon.txt.

Check Windows Event Logs.

On XP, they are stored in c:\windows\system32\config:

SecEvent.Evt = security event log

SysEvent.Evt = system event log

AppEvent.Evt = application event log

The Event Log Viewer is in Control Panel, Administrative Tools, Event Viewer. It can be launched from the command line with “eventvwr.exe”.

From the File menu in the Event Viewer, you can open a different log file to look at event logs from a different disk drive (like a boot drive moved from a compromised computer).
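As an added example (not code from this page), a Python parser for the legacy .Evt format of the XP logs listed above, so a SecEvent.Evt copied from an imaged drive can be read offline without booting the suspect system. The sample log is constructed inline; the record layout follows Microsoft's documented EVENTLOGRECORD structure, and the single record imitates XP event 529 (logon failure). Assumed details: the ID shown by Event Viewer is the low 16 bits of the EventID field, and the timestamps are seconds since the Unix epoch, UTC.

```python
import struct
from datetime import datetime, timezone

LFLE = 0x654C664C              # "LfLe" signature on the file header and on every record
REC_FMT = "<IIIIIIHHHHIIIIII"  # fixed 56-byte EVENTLOGRECORD header
EVENT_TYPES = {1: "Error", 2: "Warning", 4: "Information", 8: "Audit Success", 16: "Audit Failure"}

def _wstr(buf, pos):           # NUL-terminated UTF-16LE string -> (text, offset after the NUL)
    end = pos
    while buf[end:end + 2] != b"\0\0":
        end += 2
    return buf[pos:end].decode("utf-16-le"), end + 2

def parse_record(buf, off):
    length, _, recno, tgen, _, eid, etype, nstr, _, _, _, stroff = struct.unpack_from(REC_FMT, buf, off)[:12]
    source, pos = _wstr(buf, off + 56)   # SourceName follows the fixed header, then ComputerName
    computer, _ = _wstr(buf, pos)
    strings, pos = [], off + stroff      # insertion strings (user, domain, logon type, ...)
    for _ in range(nstr):
        s, pos = _wstr(buf, pos)
        strings.append(s)
    return {"record": recno, "source": source, "computer": computer, "strings": strings,
            "time_generated": datetime.fromtimestamp(tgen, timezone.utc).isoformat(),
            "event_id": eid & 0xFFFF, "type": EVENT_TYPES.get(etype, str(etype))}

def parse_evt(buf):            # 48-byte file header, then records until the EOF/cursor record
    hdr_size, sig = struct.unpack_from("<II", buf, 0)
    if sig != LFLE or hdr_size != 0x30: raise ValueError("not a legacy .Evt file")
    records, off = [], hdr_size
    while off + 8 <= len(buf):
        length, sig = struct.unpack_from("<II", buf, off)
        if sig != LFLE or length < 56:   # EOF record (0x11111111 ...) or slack space: stop
            break
        records.append(parse_record(buf, off))
        off += length
    return records

def build_record(recno, tgen, eid, etype, source, computer, strings):   # constructed test record
    pad = lambda b: b + b"\0" * (-len(b) % 4)                            # DWORD-align as real logs do
    names = pad((source + "\0" + computer + "\0").encode("utf-16-le"))
    ins = pad("".join(s + "\0" for s in strings).encode("utf-16-le"))
    stroff, length = 56 + len(names), 56 + len(names) + len(ins) + 4
    hdr = struct.pack(REC_FMT, length, LFLE, recno, tgen, tgen, eid, etype, len(strings),
                      0, 0, 0, stroff, 0, stroff, 0, stroff + len(ins))
    return hdr + names + ins + struct.pack("<I", length)   # record ends with its Length again

# Constructed SecEvent.Evt: file header, one XP logon-failure record (ID 529), then the EOF record
SAMPLE_EVT = (struct.pack("<12I", 0x30, LFLE, 1, 1, 0x30, 0, 2, 1, 0x80000, 0, 0, 0x30)
              + build_record(1, 1234567890, 529, 16, "Security", "WS-01", ["jdoe", "WS-01", "3"])
              + struct.pack("<IIIII", 0x28, 0x11111111, 0x22222222, 0x33333333, 0x44444444))
```

To use it on real evidence, read the copied SecEvent.Evt, SysEvent.Evt or AppEvent.Evt as bytes and pass them to parse_evt; the parser never writes to the file, so it does not disturb timestamps on the image.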

Check application or database logs for access information, especially if it is a server.

Beware that OfficeScan will by default quarantine or delete the malware it finds, potentially altering or destroying evidence; it is very difficult to recover a quarantined file in Trend Micro.

Check antivirus event logs and quarantine folder.

Look for rootkits.

By design, rootkits are difficult to detect.

“Rootkit Revealer” from Sysinternals can detect some rootkits; beware of false positives, since some software, like anti-virus tools or personal firewalls, intentionally hides items (to keep them from attackers, for example).